Gamers warned after hi-tech malware leapfrogs World of Warcraft’s security with fake website

Players of the hit game have been targeted with a Trojan disguised as a semi-official add-on client for the game, made by Curse - but it is fake, laced with a Trojan which steals passwords, account emails and authenticator information at once, Blizzard said.

A Trojan has targeted World of Warcraft players with a hi-tech attack that bypasses the two-factor authentication system offered by Blizzard’s hardware and app authenticators. The malware is disguised as a semi-official add-on client for the game, made by Curse, but the download is a fake laced with a Trojan which steals passwords, account emails and authenticator information at once, Blizzard said.

Gamespot reported that Blizzard kept gamers up to date with the attack as it unfolded via a series of posts on the official forums. The online game still has 7.6 million subscribers, and is a frequent target of attacks due to the real-world value of in-game gold and other items, Gamespot reported.

This attack was more hi-tech than most, using a fake website and fake software to bypass Blizzard’s security systems. Blizzard said that it had not seen a sophisticated attack of this sort in “years” but promised that the Authenticator kept accounts safe “99% of the time”, according to Computer and Videogames.

In an official statement, Blizzard warned gamers that the malware is built into a fake, modified version of the popular Curse add-on client – used by gamers to add ‘extra’ functions such as damage counters to the game.

The fake Curse website and Curse add-on ranked highly in Google searches, Blizzard said, tempting gamers to download: “This site was popping up in searches for ‘curse client’ on major search engines, which is how people were lured into going there.”

It’s not confirmed how the cybercriminals manipulated search results in this way, but this use of illegal ‘black hat’ search-engine tricks is becoming a common tactic.

Last year, a strain of the Nymaim ransomware used similar techniques to trick browsers into downloading it, according to this We Live Security post by Jean-Ian Boutin, who said, “Our analysis of some of the webpages that initiate these malicious downloads reveals that Black Hat SEO is used to make them appear as high as possible in the search results when people search for popular keywords.”
“At this point, it seems the easiest method to remove the Trojan is to delete the fake Curse Client and run AV scans,” Kaltonis, a support forum agent, said.

Blizzard’s post offers a link to a detailed manual method for removing the malware. Kaltonis said, “For those of you interested in these man-in-the-middle style attacks, this is the only confirmed case we’ve seen in several years. These sort of outbreaks are annoying, but an Authenticator still protects your account 99% of the time. Stay safe!”

A detailed We Live Security guide to how to avoid some of the pitfalls of PC gaming can be found here – including tips on how to spot “bad” add-ons for PC titles.